Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev

[duoming]

On Tue, 7 May 2024 11:08:14 +0300 Dan Carpenter wrote:
> I have reviewed this code some more.  My theory is:
> 
> ax25_dev_device_up() <- sets refcount to 1
> ax25_dev_device_down() <- set refcount to 0 and frees it
> 
> If the refcount is not 1 at ax25_dev_device_down() then something is
> screwed up.  So why do we even need more refcounting than that?  But
> apparently we do.  I don't really understand networking that well so
> maybe we can have lingering connections after the device is down.

We do need more reference count. Because there is a race condition 
between ax25_bind() and the cleanup routine.

The cleanup routine is consisted of three parts: ax25_kill_by_device(),
ax25_rt_device_down() and ax25_dev_device_down(). The ax25_kill_by_device()
is used to cleanup the connections and the ax25_dev_device_down() is used
to cleanup the device. If we call ax25_bind() and ax25_connect() between
the window of ax25_kill_by_device() and ax25_dev_device_down(), the ax25_dev
is freed in ax25_dev_device_down(). When we call ax25_release() to release
the connections, the UAF bugs will happen. 

Best regards,
Duoming Zhou